Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to be focusing on external footprinting.
Now, a quick disclaimer. PTES videos do cover tools that could be used for system hacking. Any tools discussed or used in any demonstrations should be understood and researched by the user prior to their use. Please research your laws and regulations regarding the use of such tools in your given areas to ensure that you do not violate any laws.
Now let's jump into our objectives for the discussion today. So we're going to discuss what footprinting is, why we do footprinting, what is external footprinting, passive reconnaissance and active footprinting. Some of this will overlap with, of course, open source intelligence gathering, but we're going to be looking directly at the activity involved in footprinting and some of the tools.
So what is footprinting? Well, footprinting in this case is external information gathering, okay, for external purposes here. External information gathering, also known as footprinting, is a phase of information gathering that consists of interaction with the target in order to gain information from the perspective of an external organization, external entity or information external to the organization.
Now, why do we do footprinting? And why is it important? Well, much information can be gathered by interacting with the target. And so, by probing a service or device, you can often create scenarios in which it can be fingerprinted, or again, footprinted, fingerprinted, or even more simply, a banner can be produced, which could identify the device. So this step is necessary to gather more information about your targets. Your goal after this section is a prioritized list of targets. Now, you may have noticed the term that was put in here, fingerprinted, so footprinted and fingerprinted will mean the same things in our discussions here.
Now, the goal again of this is to say, okay, you gave me this list of targets. I did some fingerprinting, some footprinting. And here's what I came back with. Is this in scope? Is this a critical system? Is this something that we should be attacking? And typically, after you do some device identification and service identification, you'll be working to come up with a way to look for vulnerabilities, either through manual analysis of the service and the system or through the use of automated tools to do targeted scans against critical systems to identify potential attack vectors.
Now let's talk about a little passive reconnaissance that we can do here. You can look up information about the target without them being able to detect that activity. A lot of times now. So, like, for ICANN, which is the one that we're using here in the US, each of these areas is just for different regions. You would put whois in front of that, so you would do whois dot and then the respective name, icann.org, and what you'll do is you'll be able to search the domain.
So, like, if I had a testcompany.com, I could put that in and find particulars about who owns that, administrative addresses, things of that nature. A lot of organizations now are making that information private. So whois is not always going to provide you information.
But if it does, when you're working with maybe a mid-sized to a small-sized business and they didn't make that information private, it's definitely a great way to show them how that information's exposure could lead to targeted attacks against the administrator of the domain, as well as open them up for other forms of solicitation, like if they use their home mailing address for the contact information, etcetera. So that could be very beneficial here in this passive reconnaissance area.
Now, another form is Google hacking. Exploit-DB actually has a number of search terms that you can use. And so each of these, as you can see here, would be the term used in the search, along with information specific to the organization, and then off to the right here, we've got specific categories of data that that is hoping to find.
Now there are pages and pages of these Google hacks online on Exploit-DB. And as you can see here, it's on the Exploit-DB Google Hacking Database,
so very beneficial. Definitely would recommend taking the time to research these and understand how they could be used. This is especially if you're doing OSINT or information gathering and reconnaissance as the primary form of consulting that you do, where you're building a profile for an organization or you're trying to understand what data is out there and is exposed.
Google hacking is going to be a huge part of you looking for data sets and you looking for information. So definitely take the time to research this. There are entire courses that are built around Google hacking. And it's definitely worth understanding and utilizing in your testing process. Even if you don't use all of the strings against an organization, you could pick maybe your top 20, your top 15 to search with to see what you get, and that would at least help you to cover maybe that level one and a bit of level two with respect to your reconnaissance activities.
Now, active footprinting would be again activities that could be detected by the organization.
And so some of these activities are things like port scanning, where we would use Nmap to scan a particular IP and we would do TCP and UDP checks, maybe different levels of aggressiveness, and you would attempt to solicit a response from the firewall or from the device in question to then help us to determine what that device may be, as well as if it is vulnerable to any services. Banner grabbing is another thing that we can do using, like, a telnet or grabbing header information, whatever the case may be, to attempt to identify again the device and its version, and that is based again on the response and what data it provides there.
SNMP sweeps, zone transfer attempts, SMTP bounce back, where we may send an email that has a known bad address and then attempt to gain information about the email server and what it is doing. Some DNS discovery activities and web application discovery activities can also be key. And again, in this reconnaissance phase, it's important.
So this brings me back to an analogy about sharpening an axe. And so if I know I'm going to cut down the tree and spend four hours sharpening my axe so that I can spend an hour cutting down the tree, we want to make sure that we take the time to understand what systems are there, how those systems work, because there may be a vulnerability that's in a service or system that's not, you know, going to be visible just from a standard port scan or just from a standard banner grab. We may need to gain access to additional details about back-end systems so that we can then properly do vulnerability analysis and make a determination on how we may want to do an attack or how we may want to attempt an exploit. And it may be multifaceted in that it's not, you know, run a tool and get into a system.
So all of these things are important, really. You should spend the majority of your time doing reconnaissance, footprinting and kind of building that profile, and less time, probably, on exploitation, unless you're trying to do a zero-day angle, which we'll talk about elsewhere.
So a continuation on the active footprinting. Some tools that can be used in this case: Nmap, which is probably a cornerstone for anyone who does any type of security testing; dnswalk; Recon-ng is a great tool for reconnaissance and gaining multiple types of information about organizations.
Fierce is great. Firewalk is great for firewall testing and things of that nature. So these are just a few tools. If you go to tools.kali.org and you're using Kali Linux specifically, you can see a multitude of tools under the intelligence gathering component of Kali Linux.
And if you're not using Kali Linux, then you can Google, you know, intelligence gathering tools, and Google will provide you with many, many different tools that you can use on Windows-based systems and other variants of operating systems as well. So with all that in mind, let's do a quick check on learning.
So true or false: using Google hacking would be considered an active form of footprinting, a.k.a. fingerprinting.
So using Google hacking would be considered an active form of footprinting.
Well, we have to remember that when we discussed it, we were discussing it under the terms of passive footprinting, so in this case, it would not be active. Now, if for some reason you were to hit an organization's website and tried to pull documents directly from a server, that could be considered active, but in the context that we discussed Google hacking, we considered it to be a passive form of footprinting. So in this case, this statement is false, but if you hit a server or hit the client network, there is a possibility that that could be picked up and detected as active footprinting. So be sure that you keep that in mind when you're doing your testing and looking at the domain or the system that you're hitting when you're collecting documentation.
In summary, we discussed what footprinting or fingerprinting is. We discussed why we do footprinting or fingerprinting. We looked at external footprinting. We discussed passive reconnaissance, and we discussed active footprinting and reconnaissance as well.
Remember, there's a multitude of tools and techniques out there for doing this. Some folks in the security testing spectrum do this for a living. They only consult on and do information gathering and provide context about an organization and data exposure and things of that nature. And so there is a multitude of things as far as courses, documents and other informational pieces out there about specific tools and techniques.
And so I encourage you to continue to review ways to do external footprinting and fingerprinting and make that a part of your testing regimen. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.